The Connect for Chromebooks extension is a custom utility that can be deployed to all Chromebooks on your network. Once the user is logged into the Chromebook, Connect for Chromebooks handles any subsequent authentication requests.

Tip: The Google verification knowledge base article provides step-by-step instructions for setting up Google verification with Connect for Chromebooks, including how to get the Client ID and Client Secret needed before continuing with the configuration on this page.

To prevent users from bypassing the web filter, you should ensure the Chromebook devices are enrolled, and unwanted extensions and applications are blocked from installing.

Note: Google Chromebooks allow multiple users to log into a single Chromebook device at any one time. For Connect for Chromebooks to work seamlessly, this feature needs to be turned off. For a detailed description of how to do this, refer to the Google documentation on http://admin.google.com.

The HTTPS certificate presented by the Smoothwall must be validated by the Chromebooks. To do this, you must download the HTTPS certificate from your Smoothwall, and upload it to Google’s Admin console for distribution to the Chromebook devices.

Note: The Smoothwall appliance must be configured with a fully qualified hostname, for example, my.smoothwall.com. For a detailed description of how to change the hostname, see Changing the System Hostname.

Tip: Ensure the DNS server used by the Chromebooks maps the Smoothwall’s fully qualified hostname to the Smoothwall internal IP address used by the Chromebooks to connect to. All references to the client login page (see Using Connect for Chromebooks) must be made using the fully qualified hostname.

You must first verify that the certificate uses the correct hostname. Although the procedure for checking the hostname differs from browser to browser, you generally:

1.

Browse to the Smoothwall administration user interface using the fully qualified hostname via HTTPS, on port 442, for example:

https://my.smoothwall.com:442

2.

Click the padlock icon from the URL bar.

3.

Click View certificates.

4.

Confirm that the hostname used in the certificate is the fully qualified hostname. This is the name listed against Issued to.

If the fully qualified hostname is not used by the certificate, see Changing the System Hostname for a detailed description of how to change the hostname.

If the fully qualified hostname appears in the certificate, download the certificate as follows:

1.

Go to Services > Authentication > Chromebook.

2.

Scroll down to the HTTPS certificate section.

3.

Click Download certificate.

4.

If you manage your Google directory from the same machine, click Open the Google Admin console in a new window.

If not, copy the downloaded HTTPS certificate to the relevant machine, and go to the Google Admin console.

5.

Upload the certificate to the Google Admin console’s Manage Certificates module to deploy it to all Chromebooks in your organization. Our knowledge base article provides a detailed description of how to upload this certificate to the Google Admin console.

Tip: Ensure Use this certificate as an HTTPS certificate authority is selected for the Smoothwall’s HTTPS certificate in the Manage certificates dialog of the Google Admin console.

Note: The above instructions are correct at the time of writing. Google feature names and links may change over time.

You can choose to accept logins only from approved domains, by listing them in your Smoothwall. This way, users from non-approved domains can still log into their Chromebooks using their Google credentials, but are placed in the Unauthenticated IPs group (see Managing Groups of Users ) and filtered accordingly.

Alternatively, you can list the domains in your Google Admin Console. However, it should be noted that using this methodology, users from unlisted domains are unable to log into their Chromebook devices.

1.

Go to Services > Authentication > Chromebook.

2.

Scroll down to the Domain logins section.

3.

Select Approved domains.

4.

Within the Allow logins from the following domains: box, list the accepted domains, with each one on a new line.

5.

Remove domain name — Use this option if your directory service does not require the domain name, that is, @domain.com, to form part of the username for authentication purposes, such as, Google Apps and Active Directory.

Note: If you are using the Google directory service for user group mappings, do not enable this option as the full email address is required as the username.

The Smoothwall must be assigned a Google Client ID and Client Secret, obtained through the Google Developer console. This allows the Smoothwall and Connect for Chromebooks to send authorization request to Google OpenAuth (OAuth) servers.

You must create these before continuing with the Connect for Chromebooks configuration. Our knowledge base article provides a detailed description of how to do this.

Tip: The Client ID and Client Secret are created as a web application within the OAuth module of the Google Developer console.

1.

Scroll down to the Google web application settings panel.

2.

Copy and paste the Google Client ID into the Client ID text box.

3.

Copy and paste the Google Client Secret into the Client Secret text box.

You can customize the login page users see when they first log onto the network via a Chromebook, to suit your organizational needs.

The following is an example of the expected layout of the login page:

You can change the logo, heading and main body of text. However, only static text and images can be used. You cannot use links to other HTML pages. The Google Sign in button must remain in case a manual login is required.

You must ensure you have configured a directory on the Services > Authentication > Directories page, and synchronized the domain users and groups. Typically, this is either a Google Apps domain, or an Active Directory domain using Google Active Directory Sync. For more information, see About Directory Services .

You must also ensure the time set on the Smoothwall matches the Google Apps domain time as this causes the username synchronization to fail.

Connect for Chromebooks does not require you to install the extension on a server for deployment to all Chromebooks. Instead, you must link to it from the Google Admin console, http://admin.google.com, which then includes it in the Chromebook configuration pushed out to all clients.

Using the Google Admin Console, you can configure a common home page for all Chromebooks (referred to as Pages to Load on Startup in the Console). If you make use of this or a captive portal on startup, be aware that these may load faster than Connect for Chromebooks can authenticate the user. This may result in the page load being treated as originating from an unauthenticated user. However, after that, filtering does continue as normal.